Preventing Distributed Denial of Service Attacks

03/09/2000

Most of the press coverage of the recent spate of distributed denial of service (DDoS) attacks against well-known web sites has focused on the hunt for the perpetrators, how they should be punished, and what effect all this will have on electronic commerce. Few reports have explained how the attacks occur, and fewer still have said anything about how we might prevent them.

Let's take a Linux-focused look at denial of service attacks and what we can do as responsible Internet citizens to assist in preventing them.

A denial of service attack is any act intended to cause a service
to become unavailable or unusable. In an Internet environment, a service might
be an application such as a web or mail server, or a network service like
routing of datagrams.

A simple form of denial of service attack involves
sending a stream of connection requests to a service in the hope of exhausting
the server's memory or reaching its connection limit, if it has one.
When either condition occurs, the server will either refuse further
connection requests or perform so poorly that the service becomes unusable to
others. More sophisticated denial of service attacks might involve exploiting
bugs or design problems in specific types of servers to make the server
extremely busy or fail completely.

A distributed denial of service attack uses several
machines to mount the attack. Distributed denial of service
attacks are the most effective and insidious because they
can generate more traffic from more sources. This makes it
much harder to identify the attack's origin, and much harder to stop.

Sometimes the
distributed denial of service attack involves cracking the security of a number
of hosts and installing on each a program that causes denial of service against
a remote host. Other times the distributed attack exploits poorly configured
networks and weaknesses in the IP security model, in particular the fact that
nothing in IP prevents a host from sending datagrams with a forged source address.

A good example of the latter form of
attack is the "Smurf" attack, which involves sending ICMP echo request
datagrams (ping packets) to the broadcast address of large networks using a
faked or "spoofed" IP source address: the address of the host to be attacked.
Unless configured otherwise, an IP host will respond to ICMP echo requests
sent to either the unicast address or the broadcast address of any of its
interfaces. When you ping the broadcast address of a network, every active
host on that network replies, so for any one request there are many replies,
and all of them are sent to the spoofed source address, that is, to the victim.
It is this amplification that makes this type of denial of service attack so
powerful. Note that the attack needs two unwitting accomplices: a network
whose border router forwards directed broadcasts arriving from outside, and
hosts on that network that answer broadcast pings.

Preventing this type of attack against your own hosts is difficult: the
traffic arrives from many otherwise legitimate hosts, over a link you cannot
widen on demand. If you want to limit distributed denial of service attacks on
your hosts, the best hope you have is to prevent your own hosts and networks
from being used to cause denial of service attacks on others, and to encourage
other network and system administrators to do the same.

So let's look at ways you can configure your Linux-based router and hosts to
assist in preventing distributed denial of service attacks. Imagine that we're
managing a simple installation comprising one router with three network
interfaces. The first is a PPP link to the Internet, and the others are
Ethernet interfaces, each supporting one IP network. The interface details for
our example network are:

interface   address         netmask
ppp0        139.130.10.0    255.255.255.0
eth0        172.29.16.0     255.255.255.0
eth1        172.29.17.0     255.255.255.0
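To make the two abuses described above concrete, here is a small Python script, added as an example and not part of the original article, that applies the Smurf reasoning to the example network. It takes the address plan from the table above and checks each ICMP datagram the router receives for two things: a source address that does not belong on the interface it arrived on (a spoofed packet, either one of our hosts launching an attack or an outsider impersonating one of our hosts), and an echo request addressed to the broadcast address of one of our networks (the router forwarding it would make us an amplifier). The record format and the sample records are constructed for this example; they are not the output of tcpdump or any other real tool.

```python
"""Classify ICMP traffic received by the example router (added example).

Address plan is the one in the article (ppp0 139.130.10.0/24,
eth0 172.29.16.0/24, eth1 172.29.17.0/24). The record format
"<receiving interface> <src> > <dst> icmp <type>" and the sample
records are constructed for this example only.
"""
import ipaddress
import re

# Network attached to each router interface (from the article's table).
INTERFACES = {
    "ppp0": ipaddress.ip_network("139.130.10.0/24"),
    "eth0": ipaddress.ip_network("172.29.16.0/24"),
    "eth1": ipaddress.ip_network("172.29.17.0/24"),
}
# Interfaces behind which our own hosts live; ppp0 faces the Internet.
INTERNAL = ("eth0", "eth1")

LINE_RE = re.compile(
    r"^(?P<iface>\w+)\s+(?P<src>[\d.]+)\s*>\s*(?P<dst>[\d.]+)\s+icmp\s+(?P<kind>[\w-]+)$"
)


def parse(line):
    """Split one constructed record into (iface, src, dst, icmp type)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    return (m["iface"], ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]), m["kind"])


def owner(addr):
    """Interface whose attached network contains addr, or None if not ours."""
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None


def is_broadcast(addr):
    """True for the directed-broadcast (or legacy all-zeros) address of any attached network."""
    return any(addr == n.broadcast_address or addr == n.network_address
               for n in INTERFACES.values())


def classify(line):
    """Return the list of findings for one record (empty list means nothing suspicious)."""
    iface, src, dst, kind = parse(line)
    findings = []
    src_owner = owner(src)
    if iface in INTERNAL:
        # A packet from one of our LANs must carry a source on that LAN;
        # anything else is one of our hosts forging its address.
        if src_owner != iface:
            findings.append("spoofed-source")
    else:
        # From the Internet side, a source claiming one of our internal
        # networks can only be forged.
        if src_owner in INTERNAL:
            findings.append("spoofed-source")
    # Forwarding an echo request to one of our broadcast addresses would
    # turn our networks into a Smurf amplifier.
    if kind == "echo-request" and is_broadcast(dst):
        findings.append("broadcast-ping")
    return findings


def scan(lines):
    """Return [(record, findings)] for every record that triggered a finding."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        findings = classify(line)
        if findings:
            hits.append((line.strip(), findings))
    return hits


# Constructed sample records, not captured traffic.
SAMPLE = """\
# <receiving interface> <src> > <dst> icmp <type>
eth0 172.29.16.9 > 203.0.113.4 icmp echo-request
ppp0 203.0.113.4 > 172.29.16.9 icmp echo-reply
eth1 10.9.8.7 > 203.0.113.4 icmp echo-request
eth0 172.29.16.7 > 172.29.17.255 icmp echo-request
ppp0 203.0.113.4 > 172.29.16.255 icmp echo-request
ppp0 172.29.16.5 > 172.29.17.255 icmp echo-request
ppp0 139.130.10.1 > 139.130.10.2 icmp echo-request
""".splitlines()

if __name__ == "__main__":
    for record, findings in scan(SAMPLE):
        print(f"{', '.join(findings):30} {record}")
```

Of the seven sample records, four are flagged: the packet from eth1 with a source outside 172.29.17.0/24 (one of our hosts forging its address), the two broadcast pings that the router would otherwise amplify, and the packet from the Internet that both claims an internal source and targets a broadcast address. Exactly these two classes of packet are what the filtering rules on the router need to drop: spoofed sources on the way out, and directed broadcasts (and spoofed internal sources) on the way in.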
